[thirdparty/openssl.git] / doc / man1 / dhparam.pod

=pod

=head1 NAME

dhparam - DH parameter manipulation and generation

=head1 SYNOPSIS

B<openssl dhparam>
[B<-help>]
[B<-inform DER|PEM>]
[B<-outform DER|PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-C>]
[B<-2>]
[B<-5>]
[B<-rand> I<file(s)>]
[B<-engine id>]
[I<numbits>]

=head1 DESCRIPTION

This command is used to manipulate DH parameter files.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform DER|PEM>

This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#3 DHparameter structure. The PEM form is the
default format: it consists of the B<DER> format base64 encoded with
additional header and footer lines.

=item B<-outform DER|PEM>

This specifies the output format, the options have the same meaning as the
B<-inform> option.

=item B<-in> I<filename>

This specifies the input filename to read parameters from or standard input if
this option is not specified.

=item B<-out> I<filename>

This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
as the input filename.

=item B<-dsaparam>

If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format.  Otherwise, "strong" primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the B<-dsaparam> option is much faster,
and the recommended exponent length is shorter, which makes DH key
exchange more efficient.  Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.

=item B<-check>

Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.

=item B<-2>, B<-5>

The generator to use, either 2 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but B<numbits> is present, parameters are generated with the
default generator 2.

=item B<-rand> I<file(s)>

a file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.

=item I<numbits>

this option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2> or B<-5>) is
present, parameters are generated with a default length of 2048 bits.

=item B<-noout>

this option inhibits the output of the encoded version of the parameters.

=item B<-text>

this option prints out the DH parameters in human readable form.

=item B<-C>

this option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.

=item B<-engine id>

specifying an engine (by its unique B<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

=back

=head1 WARNINGS

The program B<dhparam> combines the functionality of the programs B<dh> and
B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
programs are retained for now but may have different purposes in future
versions of OpenSSL.

=head1 NOTES

PEM format DH parameters use the header and footer lines:

 -----BEGIN DH PARAMETERS-----
 -----END DH PARAMETERS-----

OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
DH.

This program manipulates DH parameters not keys.

=head1 BUGS

There should be a way to generate and manipulate DH keys.

=head1 SEE ALSO

L<dsaparam(1)>

=head1 COPYRIGHT

Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
ef7eaa4c DSH	1	=pod
	2
	3	=head1 NAME
	4
09483c58	5	dhparam - DH parameter manipulation and generation
ef7eaa4c DSH	6
	7	=head1 SYNOPSIS
	8
41918458	9	B<openssl dhparam>
169394d4	10	[B<-help>]
ef7eaa4c DSH	11	[B<-inform DER\|PEM>]
ef7eaa4c DSH	12	[B<-outform DER\|PEM>]
41918458 BM	13	[B<-in> I<filename>]
	14	[B<-out> I<filename>]
	15	[B<-dsaparam>]
fc1d88f0	16	[B<-check>]
ef7eaa4c DSH	17	[B<-noout>]
	18	[B<-text>]
	19	[B<-C>]
09483c58 DSH	20	[B<-2>]
09483c58 DSH	21	[B<-5>]
41918458	22	[B<-rand> I<file(s)>]
bfa35550	23	[B<-engine id>]
41918458	24	[I<numbits>]
ef7eaa4c DSH	25
	26	=head1 DESCRIPTION
	27
	28	This command is used to manipulate DH parameter files.
	29
	30	=head1 OPTIONS
	31
	32	=over 4
	33
169394d4 MR	34	=item B<-help>
	35
	36	Print out a usage message.
	37
ef7eaa4c DSH	38	=item B<-inform DER\|PEM>
	39
	40	This specifies the input format. The B<DER> option uses an ASN1 DER encoded
	41	form compatible with the PKCS#3 DHparameter structure. The PEM form is the
	42	default format: it consists of the B<DER> format base64 encoded with
	43	additional header and footer lines.
	44
	45	=item B<-outform DER\|PEM>
	46
1bc74519	47	This specifies the output format, the options have the same meaning as the
ef7eaa4c DSH	48	B<-inform> option.
ef7eaa4c DSH	49
41918458	50	=item B<-in> I<filename>
ef7eaa4c DSH	51
	52	This specifies the input filename to read parameters from or standard input if
	53	this option is not specified.
	54
41918458	55	=item B<-out> I<filename>
ef7eaa4c DSH	56
	57	This specifies the output filename parameters to. Standard output is used
	58	if this option is not present. The output filename should B<not> be the same
	59	as the input filename.
	60
41918458 BM	61	=item B<-dsaparam>
	62
	63	If this option is used, DSA rather than DH parameters are read or created;
	64	they are converted to DH format. Otherwise, "strong" primes (such
	65	that (p-1)/2 is also prime) will be used for DH parameter generation.
	66
	67	DH parameter generation with the B<-dsaparam> option is much faster,
	68	and the recommended exponent length is shorter, which makes DH key
	69	exchange more efficient. Beware that with such DSA-style DH
	70	parameters, a fresh DH key should be created for each use to
	71	avoid small-subgroup attacks that may be possible otherwise.
	72
fc1d88f0 RS	73	=item B<-check>
fc1d88f0 RS	74
eeb21772 MC	75	Performs numerous checks to see if the supplied parameters are valid and
eeb21772 MC	76	displays a warning if not.
fc1d88f0	77
09483c58 DSH	78	=item B<-2>, B<-5>
09483c58 DSH	79
b5a379aa EK	80	The generator to use, either 2 or 5. If present then the
	81	input file is ignored and parameters are generated instead. If not
	82	present but B<numbits> is present, parameters are generated with the
	83	default generator 2.
09483c58	84
41918458	85	=item B<-rand> I<file(s)>
09483c58 DSH	86
09483c58 DSH	87	a file or files containing random data used to seed the random number
9b86974e	88	generator, or an EGD socket (see L<RAND_egd(3)>).
35ed393e	89	Multiple files can be specified separated by an OS-dependent character.
b87ef946	90	The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
a4cfd178	91	all others.
09483c58	92
41918458	93	=item I<numbits>
09483c58 DSH	94
09483c58 DSH	95	this option specifies that a parameter set should be generated of size
b5a379aa EK	96	I<numbits>. It must be the last option. If this option is present then
	97	the input file is ignored and parameters are generated instead. If
	98	this option is not present but a generator (B<-2> or B<-5>) is
	99	present, parameters are generated with a default length of 2048 bits.
09483c58	100
ef7eaa4c DSH	101	=item B<-noout>
	102
	103	this option inhibits the output of the encoded version of the parameters.
	104
	105	=item B<-text>
	106
	107	this option prints out the DH parameters in human readable form.
	108
	109	=item B<-C>
	110
	111	this option converts the parameters into C code. The parameters can then
bbd86bf5	112	be loaded by calling the get_dhNNNN() function.
ef7eaa4c	113
bfa35550 RL	114	=item B<-engine id>
bfa35550 RL	115
e5fa864f	116	specifying an engine (by its unique B<id> string) will cause B<dhparam>
bfa35550 RL	117	to attempt to obtain a functional reference to the specified engine,
	118	thus initialising it if needed. The engine will then be set as the default
	119	for all available algorithms.
	120
ef7eaa4c DSH	121	=back
ef7eaa4c DSH	122
09483c58 DSH	123	=head1 WARNINGS
	124
	125	The program B<dhparam> combines the functionality of the programs B<dh> and
b0700d2c	126	B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
1bc74519	127	programs are retained for now but may have different purposes in future
09483c58 DSH	128	versions of OpenSSL.
09483c58 DSH	129
ef7eaa4c DSH	130	=head1 NOTES
	131
	132	PEM format DH parameters use the header and footer lines:
	133
	134	-----BEGIN DH PARAMETERS-----
	135	-----END DH PARAMETERS-----
	136
	137	OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
	138	DH.
	139
	140	This program manipulates DH parameters not keys.
	141
	142	=head1 BUGS
	143
ef7eaa4c DSH	144	There should be a way to generate and manipulate DH keys.
	145
	146	=head1 SEE ALSO
	147
9b86974e	148	L<dsaparam(1)>
ef7eaa4c	149
e2f92610 RS	150	=head1 COPYRIGHT
	151
	152	Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
	153
	154	Licensed under the OpenSSL license (the "License"). You may not use
	155	this file except in compliance with the License. You can obtain a copy
	156	in the file LICENSE in the source distribution or at
	157	L<https://www.openssl.org/source/license.html>.
	158
	159	=cut